Monday, 9 April 2012

I recently integrated the HDIV framework into the web application I am working on.

We had already taken a number of safety measures to secure the web application, like

1. Always encoding the output (for example, always writing values from JSPs with <c:out>, which XML-escapes them, instead of just printing them)

2. Code to secure against SQL injection

3. etc.

But HDIV is an interesting framework: it integrates seamlessly with the existing application, with no need to change the existing code (most of the time), and secures the web application mainly against the following attacks.

1. Cross-site scripting (XSS)

2. SQL injection

3. URL tampering (I really like this protection; IMO only the links in the web site should be used for navigation, and the user should not be able to change the URL, especially the values in the path, to navigate)

4. Spring bean auto-binding, etc.

There are good documents about HDIV on its website, hdiv.org, but I did not find much documentation about its integration with existing applications. So I decided to explore myself and found an interesting example implementation at https://github.com/hdiv/hdiv-spring-mvc-showcase; I downloaded and explored it, and it is really awesome. So I am documenting some simple steps to integrate HDIV with your existing Spring application.

Step 1: Dependencies

Include the following dependencies in your project; for Maven:

<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-core</artifactId>
    <version>2.1.1</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-config</artifactId>
    <version>2.1.1</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-spring-mvc</artifactId>
    <version>2.1.1</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-jstl-taglibs-1.2</artifactId>
    <version>2.1.1</version>
</dependency>

Step 2: hdiv-config.xml

Copy hdiv-config.xml to your resources folder (or anywhere else on the classpath; a sample can be found in the showcase app).

An HDIV-protected site always expects an HDIV state code to validate the page; if you try to access any page without an HDIV state it will redirect you to the error page. So we have to create an initial landing page which redirects to another page with the HDIV state. The following is a sample JSP for the initial landing page.

name: index.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<body>
    <%-- with the HDIV JSTL taglib on the classpath, c:redirect adds the HDIV state to the target URL --%>
    <c:redirect url="login/login.html"></c:redirect>
</body>
</html>

Include this file in the welcome-file list in web.xml, place it in the root folder, and add the root folder as the start pages folder in hdiv-config.xml, for example:

<hdiv:config errorPage="/error.jsp">
    <hdiv:startPages>/</hdiv:startPages>
    <hdiv:paramsWithoutValidation>
        <hdiv:mapping url="/job/[0-9]*/.*/update.ht" parameters=".*"/>
    </hdiv:paramsWithoutValidation>
</hdiv:config>

All the files in the root folder (/) are considered landing or start pages, so they will be exempted from HDIV state validation.
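As an added example (not code from the original post or from the showcase project), this is the web.xml wiring the step above relies on: index.jsp as the welcome file, hdiv-config.xml loaded from the classpath, and HDIV's InitListener and ValidatorFilter, which HDIV 2.1 needs in addition to the config file. The application context file path is a placeholder, and the class names are assumed from the HDIV 2.1 showcase app; check them against your version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

    <!-- load hdiv-config.xml (on the classpath) together with the application context;
         /WEB-INF/spring/app-config.xml is a placeholder for your own context file -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/app-config.xml classpath:hdiv-config.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- HDIV bootstrap listener: runs once the Spring context is up -->
    <listener>
        <listener-class>org.hdiv.listener.InitListener</listener-class>
    </listener>

    <!-- HDIV validator filter: checks the state on every request, hence the /* mapping -->
    <filter>
        <filter-name>ValidatorFilter</filter-name>
        <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ValidatorFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- the landing page from Step 2; it lives in the root folder declared as a start page -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
```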

Important points:

1. Spring tags 3.0 and later have built-in support for HDIV, so they can simply be used along with HDIV; to use earlier versions of the Spring tags, you may need to point your TLDs to the customized Spring TLDs. Please refer to the HDIV documentation for more details.

2. When using HDIV along with Spring Security or other frameworks which intercept the request and redirect to different pages, special care should be taken, otherwise it will end up in infinite redirection loops. I had Spring Security in the project, so I moved all the Spring Security related files (login, logout, etc.) to a different path which is not intercepted by HDIV, for more clarity.

The hdiv-config.xml file has three main sections:

1. The <hdiv:config> section, which is used to configure the start pages path, error page and validation exceptions

2. The <hdiv:validation> section, which is used to define the acceptable input formats

3. The <hdiv:editableValidations> section, which is used to associate the validations defined in the <hdiv:validation> section with paths.

HDIV is really an added protection for sites; developers may miss a few things when protecting a site. By using a framework like HDIV, developers can concentrate more on building the logic than on protecting each and every page.

15 comments:

Good one!! Can you give the configurations for using with Spring Security? I have tried excluding the Spring Security pages in the hdiv-config.xml, but still I am not able to get to the login page. Should the landing or starting page be applied to all the pages?

Actually you have to exclude the initial/landing HDIV hash generating page from Spring Security. In my example above the index.jsp file in Step 5 should be excluded in Spring Security. You don't need to exclude anything else from HDIV or Spring Security. Hope it helps. All the best...

Thanks for your response Nutpan. I ran into some other problems, and they are described below.

I have included the initial landing page as index.jsp and redirected to the login page. The login page is displayed but the CSS and the images are not displayed. From the logger I could see the error message

Nuptan, I did not properly use the C tag. After inputting the correct syntax, I was able to do it correctly.

Also, I have one question: can we exclude any page from the HDIV validation? Like, it is not the starting page, but it is some URL that caters to the AJAX request. I tried to configure it within the tag and it did not work. Also what is the purpose of . Do you know anything about it?

Hi, I have configured HDIV as you have said. However, when I submit a form with text that would fail the editable validations it puts an error message in the log but it still proceeds as normal and submits the form to the controller; it doesn't block the request. Do you have any idea what could be wrong?

EditableParameterValidator is not working, I tried to debug the class, found Hashtable editableParameters = (Hashtable)RequestContextHolder.getRequestAttributes().getAttribute("org.hdiv.action.EDITABLE_PARAMETER_ERROR", 0);